Do You Need a Personal Firewall?

Windows has an effective built-in firewall, your home network adds another layer of protection, and your security suite has its own firewall. Is the personal firewall utility dead?

You probably know that Windows 10 has an effective firewall built right in, but did you realize that included firewall protection goes all the way back to Windows XP? A third-party firewall that doesn't stealth ports and protect the network as well as Windows Firewall is in big trouble, and just matching the built-in firewall's abilities isn't sufficient. Most third-party firewalls take control of the way programs use your network and the internet, a feature Windows Firewall doesn't really expose. In addition, your security suite probably includes its own firewall component. With these resources available, do you even need a personal firewall?

Before I start, there's something I should point out. Unless you're that rare individual who uses a single computer connected directly to the internet, you've got another powerful layer of defense against online attack. The wireless router that doles out connections to all your devices also protects them. It uses Network Address Translation, or NAT, to assign each device an IP address in a range that's only visible within the local network. That alone is enough to block many direct attacks. Some routers have additional security layers baked in.

Of course, when you're on the road you don't get any benefit from the router sitting back in your home or office. In fact, you're vulnerable to attack by other users on that insecure airport wireless. The cafe that offers free Wi-Fi? A shady cafe owner could sift through all the internet traffice, capturing handy items like credit card numbers. When you're on the road, you really need a Virtual Private Network, or VPN.

The VPN encrypts your web traffic all the way to a server operated by the VPN company. Ad sites and other trackers see the VPN's IP address, not your own. And you can also use a VPN to spoof your geographic location, perhaps to view region-locked content, or to protect yourself when traveling in a country with restrictive internet policies. You may not need a firewall, but you do need a VPN.

Port Protection

Your computer's internet connection grants you access to a limitless collection of entertaining and informative websites and videos. It also opens your computer to access by others via the internet, though connecting through a router does limit the possibilities for damage. One major firewall task involves permitting all valid network traffic and blocking suspect or malicious traffic.

Your PC's ports, the entry points for network connections, can be open, closed, or stealthed. When a port is stealthed, it's not visible at all to an outside attacker, which is ideal. Windows Firewall alone is completely capable of stealthing all your PC's ports, and any ports behind a router appear stealthed. In fact, to test firewalls, I have to use a PC that's connected through the router's DMZ port, which means it appears to have a direct internet connection.

Most firewalls allow for multiple configuration profiles, depending on your network connection. Traffic within your home network needs fewer restrictions than traffic to and from the internet. If you're connected with a public network, the firewall cranks up its security level.

Program Control

Early personal firewalls were notorious for bombarding users with a plethora of popup queries. They'd note that a program was attempting to access a particular IP address via a particular port, and ask the user whether to allow or block the connection. Few users have the knowledge to make an informed response to such a query. Typically, users either always click Block or always click Allow. Those who make Block the default response eventually wind up disabling something important, after which they switch to clicking Allow. Those who always click Allow risk letting in something they shouldn't.

High-end firewalls like the ones built into Kaspersky and Symantec Norton Security Premium get around this problem by completely internalizing program control. They configure permissions for known good programs, wipe out known bad programs, and monitor the behavior of unknowns.

Other firewalls use their own techniques for cutting down on popup queries. For example, Check Point ZoneAlarm Free Firewall checks a massive online database called SmartDefense Advisor and automatically configures permissions for known programs. In the rare event that it does display a popup query, you should pay careful attention, as a program not found in the database might be a zero-day malware attack.

Most firewalls take note when a trusted program changes in any way. The change might be an update, it might be a virus infection, or it might be a malicious program just using the name of a trusted program.

Sneakier malware attempts to connect to the internet by manipulating or masquerading as a trusted program. I sometimes use utilities called "leak tests" to check whether firewalls detect these sneaky techniques. However, modern Windows versions have made life so tough for these techniques that leak tests are becoming less useful.

Beyond the Firewall

High-end firewalls such as you get with Norton and Kaspersky Internet Security include additional protection against network-based attacks, usually in the form of a Host Intrusion Prevention System (HIPS), Intrusion Detection System (IDS), or both. Among other things, these components serve to protect against attacks that exploit security vulnerabilities in the operating system or popular programs. In between the time a vulnerability is discovered and the time the vendor patches that security hole, malefactors can launch attacks that gain control over victim systems.

The best HIPS and IDS systems catch exploit attacks at the network level, before they even reach the target system. Other security suite components, particularly the antivirus, may eliminate the malicious payload dropped by an exploit attack before it can do any harm. In testing, I use the CORE Impact penetration tool to get a feel for each firewall's response to such exploit attacks.

Who Needs a Firewall?

In the modern world, there's hardly ever a reason to consider installing a standalone personal firewall. The built-in Windows Firewall does half the job, and the firewall within your security suite takes care of the rest. The era of the computer hobbyist who'd carefully and lovingly select each separate security component is long gone.

Sure, there could be a specific situation in which you want to install the absolute minimum of security. You can still get standalone firewall protection, though the number of available products has dwindled over the years. And there's no need to pay for a firewall. ZoneAlarm Free Firewall retains its title as Editors' Choice for free personal firewall protection. Pair it with a top free antivirus, or install its own built-in antivirus component, and you've got the bare bones of a security system.

More Inside PCMag.com

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of ... See Full Bio